gcloud firestore databases clone

gcloud firestore databases clone - clone a Google Cloud Firestore database from another

gcloud firestore databases clone --destination-database=DESTINATION_DATABASE --snapshot-time=SNAPSHOT_TIME --source-database=SOURCE_DATABASE [--tags=[KEY=VALUE,…]] [--encryption-type=ENCRYPTION_TYPE : --kms-key-name=KMS_KEY_NAME] [GCLOUD_WIDE_FLAG …]

gcloud firestore databases clone gcloud firestore databases clone --source-database=projects/PROJECT_ID/databases/SOURCE_DATABASE --snapshot-time=2025-05-26T10:20:00.00Z --destination-database=DATABASE_ID

To clone to a CMEK-enabled database:

gcloud firestore databases clone gcloud firestore databases clone --source-database=projects/PROJECT_ID/databases/SOURCE_DATABASE --snapshot-time=2025-05-26T10:20:00.00Z --destination-database=DATABASE_ID --encryption-type=customer-managed-encryption --kms-key-name=projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING_ID/cryptoKeys/CRYPTO_KEY_ID

--destination-database=DESTINATION_DATABASE

Destination database to clone to. Destination database will be created in the same location as the source database.

This value should be 4-63 characters. Valid characters are /[a-z][0-9]-/ with first character a letter and the last a letter or a number. Must not be UUID-like /[0-9a-f]8(-[0-9a-f]4)3-[0-9a-f]12/.

Using "(default)" database ID is also allowed.

For example, to clone to database testdb:

gcloud firestore databases clone --destination-database=testdb

--snapshot-time=SNAPSHOT_TIME

Snapshot time at which to clone. This must be a whole minute, in the past, and not earlier than the source database's earliest_version_time. Additionally, if older than one hour in the past, PITR must be enabled on the source database.

For example, to restore from snapshot 2025-05-26T10:20:00.00Z of source database source-db:

gcloud firestore databases clone --source-database=projects/PROJECT_ID/databases/source-db --snapshot-time=2025-05-26T10:20:00.00Z

--source-database=SOURCE_DATABASE

The source database to clone from.

For example, to clone from database source-db:

gcloud firestore databases clone --source-database=projects/PROJECT_ID/databases/source-db

--tags=[KEY=VALUE,…]

Tags to attach to the destination database. Example: --tags=key1=value1,key2=value2

For example, to attach tags to a database:

$ --tags=key1=value1,key2=value2

The encryption configuration of the new database being created from the database. If not specified, the same encryption settings as the database will be used.

To create a CMEK-enabled database:

gcloud firestore databases clone --encryption-type=customer-managed-encryption --kms-key-name=projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING_ID/cryptoKeys/CRYPTO_KEY_ID

To create a Google-default-encrypted database:

gcloud firestore databases clone --encryption-type=google-default-encryption

To create a database using the same encryption settings as the database:

gcloud firestore databases clone --encryption-type=use-source-encryption

--encryption-type=ENCRYPTION_TYPE

The encryption type of the destination database. ENCRYPTION_TYPE must be one of: use-source-encryption, customer-managed-encryption, google-default-encryption.

This flag argument must be specified if any of the other arguments in this group are specified.

--kms-key-name=KMS_KEY_NAME

The resource ID of a Cloud KMS key. If set, the database created will be a Customer-Managed Encryption Key (CMEK) database encrypted with this key. This feature is allowlist only in initial launch.

Only a key in the same location as this database is allowed to be used for encryption. For Firestore's nam5 multi-region, this corresponds to Cloud KMS location us. For Firestore's eur3 multi-region, this corresponds to Cloud KMS location europe. See https://cloud.google.com/kms/docs/locations.

This value should be the KMS key resource ID in the format of projects/{project_id}/locations/{kms_location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}. How to retrieve this resource ID is listed at https://cloud.google.com/kms/docs/getting-resource-ids#getting_the_id_for_a_key_and_version. This flag must only be specified when encryption-type is customer-managed-encryption.

Run $ gcloud help for details.